1 of 132

Networking 101

How the Internet Works

2 of 132

CHEAT SHEET

LAN/WAN

Local area (e.g. apartment) and wide-area (e.g. internet) networks. A router connects multiple LANs.

Layer 2 (e.g. Ethernet)

Layer 2 (link layer) connects local machines in a LAN. MAC addresses uniquely identify machines in a LAN.

Layer 3 (e.g. IP)

Layer 3 (internetwork layer) connects many LANs. IP addresses uniquely identify machines globally.

Layer 4 (e.g. TCP/UDP)

Layer 4 (transport layer) provides the notion of a connection between individual processes on machines. UDP is a best-effort transport layer protocol (no guarantees on order, but less overhead). TCP is a reliable, in-order, connection-based protocol.

Layer 4.5 (e.g. TLS)

TLS provides a secure connection (i.e. a secure channel of communication) between processes on machines.

Layer 7 (e.g. HTTP)

HTTP provides a framework to build applications on top of the lower-level layers (e.g. HTTP GET/POST/…).

ARP (Address Resolution)

A protocol based on Layer 2 (e.g. Ethernet) that translates IP addresses into MAC addresses.

WPA (Wi-Fi Protected Access)

A protocol that enables secure wireless communication in a LAN. With WPA2-PSK, multiple devices within a LAN (e.g. multiple computers, or a computer and a router) can communicate securely.

DHCP (Dynamic Host Configuration Protocol)

A protocol based on Layers 2/3 (e.g. Ethernet and IP) that enables communication over a LAN and the internet. It allows clients to acquire an IP address, the IP address of the DNS server, and the IP address of the router.

BGP (Border Gateway Protocol)

A protocol based on Layer 3 (e.g. IP addresses) that connects lots of local networks.

DNS (Domain Name System) & DNSSEC

A protocol based on Layer 4 (e.g. TCP) that allows computers to resolve https://google.com/ into an IP address such as 127.217.4.174. It uses a hierarchical system of name servers that exist across the internet. DNS queries are made over UDP.

3 of 132

How do we connect two computers in Soda Hall?

4 of 132

[Diagram: Soda Hall, with Nick's Computer and Raluca's Computer]

How do we make Nick's computer talk to Raluca's computer?

5 of 132

[Diagram: Soda Hall, with Nick's Computer and Raluca's Computer joined by a wire]

Solution: let's connect these two computers with a wire and write code to send signals from one computer to another!

6 of 132

[Diagram: as slide 5]

Solution: let's connect these two computers with a wire and write code to send signals from one computer to another!

Layer 1: The Physical Layer

Moves bits across space. A.K.A. "the wire" that connects these computers.

7 of 132

[Diagram: Soda Hall, with Nick's, Raluca's, and Dave's Computers]

What about when we have multiple computers that need to talk to each other?

8 of 132

[Diagram: as slide 7, with a wire between each pair of computers]

We could install a wire between each pair of computers. This might work at MIT, but it wouldn't work at Berkeley EECS's scale :)

9 of 132

[Diagram: Soda Hall, with Nick's, Raluca's, and Dave's Computers all attached to one shared wire]

Instead: connect all computers to one wire, and introduce a protocol to allow them to talk to each other.

10 of 132

[Diagram: as slide 9, the building drawn as a gray box]

Instead: connect all computers to one wire, and introduce a protocol to allow them to talk to each other.

Layer 2: The Link Layer

Connects machines in a local area network.

This gray box as a whole is a "Local Area Network" - a group of computers in a building/institution/etc.

11 of 132

[Diagram: Soda Hall LAN. Nick's Computer (MAC: Room 625), Raluca's Computer (MAC: Room 729), Dave's Computer (MAC: Room 733), all on one shared wire]

These computers need a way to identify each other! Let's give each of them a unique address: a MAC address.

12 of 132

[Diagram: as slide 11]

These computers need a way to identify each other! Let's give each of them a unique address: a MAC address.

A MAC address is like a room number in a building: it's unique within a building, but multiple buildings may share numbers.

13 of 132

[Diagram: as slide 11]

What if Nick wants to send Dave a message?

14 of 132

[Diagram: as slide 11]

Nick broadcasts this packet over the shared cable.

Packet: Source: Room 625, Dest: Room 733, Payload: Hi Dave!

15 of 132

[Diagram: as slide 11, with the packet shown at Nick's Computer]

Packet: Source: Room 625, Dest: Room 733, Payload: Hi Dave!

The packet originates from Nick's computer.

16 of 132

[Diagram: as slide 11, with a copy of the packet shown at both Raluca's Computer and Dave's Computer]

Because Raluca and Dave are both "listening" to the wire, they both receive the packet.

Packet: Source: Room 625, Dest: Room 733, Payload: Hi Dave!

17 of 132

[Diagram: as slide 16]

Raluca looks at the Dest field and discards the packet.

Dave looks at the Dest and accepts the packet, since it was meant for him!

18 of 132

[Diagram: as slide 16]

Side note (this will become useful later) - if we set Dest to FF:FF:FF:...:FF, then all computers on the network will accept the packet!

This is the broadcast address - a special MAC address.

19 of 132

[Diagram: as slide 16]

Layer 2: The Link Layer

Connects machines in a local area network.

This is Ethernet!

20 of 132

Summary: Layer 1 (Physical) and Layer 2 (Link)

  • Layer 1 (Physical) connects two machines together using a physical connection.
  • Layer 2 (Link) enables two or more computers connected in a LAN to communicate with each other.
    • A 6-byte MAC address is used to uniquely identify machines on a LAN.
    • All messages are sent to all other computers, but computers only keep/process messages where the destination MAC address matches their MAC address.
    • Ethernet is an example of a Link Layer framework.
    • The broadcast MAC address (ff:ff:ff:ff:ff:ff) is used to send a packet to all other machines on the LAN.
  • Everything to this point is "best-effort" - so there's nothing built in to ensure that a packet reaches its destination.

21 of 132

How do we connect computers between

Soda and Cory Hall?

22 of 132

[Diagram: two LANs. Soda Hall: Nick's Computer (MAC: Room 625), Raluca's Computer (MAC: Room 729), Dave's Computer (MAC: Room 733). Cory Hall: Claire's Computer (MAC: Room 625), Ranade's Computer (MAC: Room 729), Vlad's Computer (MAC: Room 733)]

What if we want to connect two LANs - e.g. Soda Hall & Cory Hall?

23 of 132

[Diagram: as slide 22, with a Router placed between the two LANs]

We can use a router to connect multiple LANs!

24 of 132

[Diagram: as slide 23]

We can use a router to connect multiple LANs!

Layer 3: The Internetwork Layer (a.k.a. IP)

This layer connects multiple LANs to form a WAN (a wide-area network).

25 of 132

[Diagram: as slide 23]

What if Nick wants to send a message to Claire?

26 of 132

[Diagram: as slide 23, now with IP addresses. Soda Hall: Nick 129.0.3.16, Raluca 129.0.3.18, Dave 129.0.3.30. Cory Hall: Claire 129.0.4.20, Ranade 129.0.4.17, Vlad 129.0.4.99]

We need a way to uniquely identify Nick's computer across the entire internet:

IP Addresses!

27 of 132

[Diagram: as slide 26]

Let's start by assuming that Nick knows Claire's IP address (he gets this through DNS, which is later).

28 of 132

[Diagram: as slide 26]

Nick can construct a packet that looks like this:

Packet: Source: 129.0.3.16, Dest: 129.0.4.20, Payload: Hi Claire!

29 of 132

[Diagram: as slide 26]

But the only way Nick knows how to communicate is over Layer 2! So he wraps his Layer 3 packet in a Layer 2 packet.

Layer 2 header: Source: Room 625, Dest: ?????????
Layer 3 packet: Source: 129.0.3.16, Dest: 129.0.4.20, Payload: Hi Claire!

30 of 132

[Diagram: as slide 26]

But how does he know what to set the Dest MAC address to?

Layer 2 header: Source: Room 625, Dest: ?????????
Layer 3 packet: Source: 129.0.3.16, Dest: 129.0.4.20, Payload: Hi Claire!

31 of 132

Summary: Layer 3 (Internetwork)

  • Layer 3 (internetwork) connects multiple LANs together using routers.
  • Layer 3 uses IP addresses to uniquely identify computers across the world.
    • An example 32-bit IP address: 128.32.131.10
  • To send a packet using Layer 3, we attach Layer 2 headers on top of it and send the packet over Layer 2.
  • We don't know what to set the destination MAC address to yet!

[Diagram: the wrapped packet]
Layer 2 headers (these use MAC addresses): Source: Room 625, Dest: ?????????
Layer 3 headers (these use IP addresses): Source: 129.0.3.16, Dest: 129.0.4.20, Payload: Hi Claire!

32 of 132

How do we go from IP addresses to MAC addresses?

We send packets across a LAN using Layer 2 (link layer), which requires MAC addresses...

33 of 132

ARP: Address Resolution Protocol

34 of 132

[Diagram: Soda Hall LAN (Nick's Computer: MAC Room 625, IP 129.0.3.16; Raluca's Computer: MAC Room 729, IP 129.0.3.18; Dave's Computer: MAC Room 733, IP 129.0.3.30), a Router, and Cory Hall LAN (Claire's Computer: MAC Room 625, IP 129.0.4.20; Ranade's Computer: MAC Room 729, IP 129.0.4.17; Vlad's Computer: MAC Room 733, IP 129.0.4.99)]

But how does he know what to set the Dest MAC address to?

Layer 2 header: Source: Room 625, Dest: ?????????
Layer 3 packet: Source: 129.0.3.16, Dest: 129.0.4.20, Payload: Hi Claire!

35 of 132

ARP Case #1: Inside the LAN

36 of 132

[Diagram: as slide 34]

ARP Step 1

Nick broadcasts "What is the MAC address of 129.0.3.18?"

37 of 132

[Diagram: as slide 34]

ARP Step 2

Raluca responds with: "My MAC address is Room 729, and my IP address is 129.0.3.18."

38 of 132

[Diagram: as slide 34]

ARP Step 3

Nick caches the IP <> MAC address mapping & sends the packet.

39 of 132

ARP Case #2: Outside the LAN

40 of 132

[Diagram: as slide 34, with the Router now labeled IP 129.0.3.1]

ARP Step 1

Nick looks at his IP address and his "subnet." He realizes the IP address is outside of his LAN…

So he broadcasts: "Hey Router (IP 129.0.3.1) - what is your MAC address? I need to send a packet to you to forward to the internet."

41 of 132

[Diagram: as slide 40]

ARP Step 2

The router responds, saying "My MAC address is Y."

42 of 132

[Diagram: as slide 40]

ARP Step 3

Nick caches the IP <> MAC address mapping for the router & sends the packet.

43 of 132

[Diagram: as slide 34]

ARP Step 3

Nick caches the IP <> MAC address mapping for the router & sends the packet.

Layer 2 header (addressed to the Router): Source: Room 625, Dest: Router
Layer 3 packet (addressed to Claire): Source: 129.0.3.16, Dest: 129.0.4.20, Payload: Hi Claire!

44 of 132

Summary: Address Resolution Protocol (ARP)

  • ARP is a protocol that allows us to use what we've established (a Layer 2 connection between devices in a LAN) to translate IP addresses into MAC addresses.
  • Protocol:
    • Nick wants to send a packet to Raluca, and Nick knows Raluca's IP address (1.1.1.1).
    • Nick broadcasts to everyone on the LAN: "What is the MAC address of 1.1.1.1?"
    • Raluca responds by sending a message only to Nick: "My IP is 1.1.1.1 and my MAC is ca:...:ef."
    • Nick caches the IP address to MAC address mapping.
  • If Nick is trying to find the MAC address of an IP address outside of the LAN, he instead asks for the gateway router's MAC address.
    • The router will receive the packet and forward it to the next "hop." More on this later.
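The Layer 2 broadcast-and-filter behaviour (slides 14-20), the Layer 3 "which MAC do I put on the frame?" question (slide 31) and both ARP cases summarized above can be exercised in one small simulation. This is an added example, not code from the slides or the course: the `Lan`, `Host` and `Frame` classes are invented for the demo, the slides' "Room 625"-style MAC labels are replaced by constructed `00:00:00:00:06:25`-style values, and the router at 129.0.3.1 with subnet mask 255.255.255.0 is assumed (it matches the DHCP configuration shown later in the deck).

```python
# Added example (not from the slides): a toy shared-wire LAN with MAC filtering,
# the broadcast address, ARP request/reply with caching, and the in-subnet vs.
# gateway decision that picks which MAC address the Layer 2 header gets.
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Frame:
    """Layer 2 frame: MAC header plus a payload (an ARP message or an IP packet)."""
    def __init__(self, src_mac, dst_mac, payload):
        self.src_mac, self.dst_mac, self.payload = src_mac, dst_mac, payload


class Lan:
    """The shared wire: every frame reaches every attached host except the sender."""
    def __init__(self):
        self.hosts = []

    def attach(self, host):
        self.hosts.append(host)
        host.lan = self

    def send(self, frame):
        for host in self.hosts:
            if host.mac != frame.src_mac:
                host.receive(frame)


class Host:
    def __init__(self, name, mac, ip, mask, gateway):
        self.name, self.mac = name, mac
        self.iface = ipaddress.ip_interface(f"{ip}/{mask}")   # IP + subnet mask
        self.gateway = ipaddress.ip_address(gateway)
        self.arp_cache = {}        # IP (str) -> MAC, filled by ARP step 3
        self.delivered = []        # Layer 3 packets this host accepted
        self.lan = None

    # Layer 2: keep the frame only if it is for us or for the broadcast address.
    def receive(self, frame):
        if frame.dst_mac not in (self.mac, BROADCAST):
            return                                        # discard, like Raluca on slide 17
        p = frame.payload
        if p["type"] == "arp-request" and p["target_ip"] == str(self.iface.ip):
            # ARP step 2: answer unicast, straight back to the asker's MAC.
            reply = {"type": "arp-reply", "ip": str(self.iface.ip), "mac": self.mac}
            self.lan.send(Frame(self.mac, frame.src_mac, reply))
        elif p["type"] == "arp-reply":
            self.arp_cache[p["ip"]] = p["mac"]            # ARP step 3: cache the mapping
        elif p["type"] == "ip":
            self.delivered.append(p)

    # Layer 3: a destination outside our subnet is reached through the gateway.
    def next_hop(self, dst_ip):
        dst = ipaddress.ip_address(dst_ip)
        return dst if dst in self.iface.network else self.gateway

    def resolve(self, ip):
        ip = str(ip)
        if ip not in self.arp_cache:                      # ARP step 1: broadcast the question
            self.lan.send(Frame(self.mac, BROADCAST, {"type": "arp-request", "target_ip": ip}))
        return self.arp_cache.get(ip)

    def send_ip(self, dst_ip, data):
        """Wrap an IP packet in a Layer 2 frame; return the MAC it was sent to."""
        hop_mac = self.resolve(self.next_hop(dst_ip))
        if hop_mac is None:
            return None
        packet = {"type": "ip", "src": str(self.iface.ip), "dst": dst_ip, "data": data}
        self.lan.send(Frame(self.mac, hop_mac, packet))
        return hop_mac


def build_soda_hall():
    """Constructed topology: the slides' Soda Hall LAN plus its gateway router."""
    lan = Lan()
    nick = Host("Nick", "00:00:00:00:06:25", "129.0.3.16", "255.255.255.0", "129.0.3.1")
    raluca = Host("Raluca", "00:00:00:00:07:29", "129.0.3.18", "255.255.255.0", "129.0.3.1")
    dave = Host("Dave", "00:00:00:00:07:33", "129.0.3.30", "255.255.255.0", "129.0.3.1")
    router = Host("Router", "00:00:00:00:0f:0d", "129.0.3.1", "255.255.255.0", "129.0.3.1")
    for h in (nick, raluca, dave, router):
        lan.attach(h)
    return nick, raluca, dave, router


if __name__ == "__main__":
    nick, raluca, dave, router = build_soda_hall()
    print("in-LAN next hop MAC:", nick.send_ip("129.0.3.18", "Hi Raluca!"))
    print("off-LAN next hop MAC:", nick.send_ip("129.0.4.20", "Hi Claire!"))
    print("Nick's ARP cache:", nick.arp_cache)
```

Sending to 129.0.3.18 triggers one broadcast ARP request, one unicast reply from Raluca, and a frame that only Raluca keeps; sending to 129.0.4.20 resolves the gateway instead, so the Layer 2 header is addressed to the router while the Layer 3 header still names Claire, exactly the split shown on slide 43.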

45 of 132

Security: Address Resolution Protocol (ARP)

  • Attack: ARP Spoofing
    • Nick requests Raluca's MAC address through ARP.
    • Mallory* races Raluca's response with a forged response containing her own MAC address.
    • Nick caches the response and sends Raluca's packets to Mallory!
  • Defense: Switches
    • Traditionally, we connect all devices in a LAN to a hub.
    • Instead, we can connect all devices to a switch - which has a built-in MAC cache to track IP address to MAC address pairings when IP addresses are first assigned!
    • Expensive switches will protect against such spoofing; cheap switches will not.

*Mallory is a local attacker - a.k.a. she's connected to the LAN and can both observe broadcast packets from and send packets to anyone on the LAN.
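A defender-side check for the ARP spoofing attack above, as an added example that is not from the slides: an arpwatch-style monitor that records the IP-to-MAC binding carried by each ARP reply on the LAN and alerts when one IP is claimed by two different MACs inside a short window, which is what a forged reply racing the real one looks like on the wire. The `ArpMonitor` class, the 120-second window and the reply log are constructed for the demo.

```python
# Added example (not from the slides): detect an IP address whose ARP replies
# flip between two MAC addresses, the on-the-wire signature of a spoofing race.
from collections import defaultdict

# Constructed ARP-reply log: (time in seconds, sender IP, sender MAC)
REPLIES = [
    (0.0, "129.0.3.18", "00:00:00:00:07:29"),    # Raluca answers Nick's request
    (60.0, "129.0.3.18", "00:00:00:00:07:29"),   # Raluca again, a minute later
    (61.0, "129.0.3.18", "aa:bb:cc:dd:ee:ff"),   # a second MAC now claims Raluca's IP
    (62.0, "129.0.3.30", "00:00:00:00:07:33"),   # Dave, nothing unusual
]


class ArpMonitor:
    """Keeps the MACs seen for each IP inside a sliding window; two MACs = alert."""
    def __init__(self, window_seconds=120.0):
        self.window = window_seconds
        self.history = defaultdict(list)      # ip -> [(time, mac), ...]
        self.alerts = []

    def observe(self, t, ip, mac):
        # Forget replies older than the window, then add this one.
        recent = [(ts, m) for ts, m in self.history[ip] if t - ts <= self.window]
        recent.append((t, mac))
        self.history[ip] = recent
        macs = sorted({m for _, m in recent})
        if len(macs) > 1:
            alert = {"time": t, "ip": ip, "macs": macs}
            self.alerts.append(alert)
            return alert
        return None


def scan(replies):
    """Feed a reply log through the monitor and return every alert raised."""
    mon = ArpMonitor()
    for t, ip, mac in replies:
        mon.observe(t, ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for alert in scan(REPLIES):
        print(f"t={alert['time']}: {alert['ip']} claimed by {alert['macs']}")
```

The monitor only detects the poisoned cache after the fact; the switch-side inspection the slide describes, or a static ARP entry for the gateway on hosts that never move, prevents it. The two complement each other, since the monitor also catches a misconfigured switch.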

46 of 132

Ok, so going back to Nick <> Claire...

47 of 132

[Diagram: Soda Hall LAN (Nick's Computer: MAC Room 625, IP 129.0.3.16; Raluca's Computer: MAC Room 729, IP 129.0.3.18; Dave's Computer: MAC Room 733, IP 129.0.3.30) and Cory Hall LAN (Claire's Computer: MAC Room 625, IP 129.0.4.20; Ranade's Computer: MAC Room 729, IP 129.0.4.17; Vlad's Computer: MAC Room 733, IP 129.0.4.99), joined by a Router with MAC: Soda Front Desk]

Nick can use ARP to figure out where to send this packet to!

Layer 2 header: Source: Room 625, Dest: Soda Front Desk
Layer 3 packet: Source: 129.0.3.16, Dest: 129.0.4.20, Payload: Hi Claire!

48 of 132

[Diagram: as slide 47]

In this case, the packet needs to go to the Soda Front Desk.

Layer 2 header: Source: Room 625, Dest: Soda Front Desk
Layer 3 packet: Source: 129.0.3.16, Dest: 129.0.4.20, Payload: Hi Claire!

49 of 132

[Diagram: as slide 47, but with two routers between the LANs: one with MAC: Soda Front Desk and one with MAC: Cory Front Desk. The packet has arrived at the Soda Front Desk.]

Layer 2 header: Source: Room 625, Dest: Soda Front Desk
Layer 3 packet: Source: 129.0.3.16, Dest: 129.0.4.20, Payload: Hi Claire!

The Soda Front Desk will unwrap the MAC header & realize that the packet needs to go to 129.0.4.20.

50 of 132

[Diagram: as slide 49]

The Soda Front Desk will unwrap the MAC header & realize that the packet needs to go to 129.0.4.20.

51 of 132

[Diagram: as slide 49; the packet at the Soda Front Desk now has its Layer 2 header removed]

Layer 3 packet: Source: 129.0.3.16, Dest: 129.0.4.20, Payload: Hi Claire!

The Soda Front Desk will unwrap the MAC header & realize that the packet needs to go to 129.0.4.20.

52 of 132

[Diagram: as slide 51]

The Soda Front Desk will send the packet to the Cory Front Desk (see more: BGP).

53 of 132

[Diagram: as slide 49; the Layer 3 packet is now at the Cory Front Desk]

The Cory Front Desk will remove the Layer 2 headers and look at the destination IP once again.

54 of 132

[Diagram: as slide 53]

Here, the Cory Front Desk can just use ARP to figure out what the MAC address of Claire is!

55 of 132

[Diagram: as slide 53; the packet, re-wrapped in a new Layer 2 header, is sent onto the Cory Hall LAN]

Layer 2 header: Source: Cory Front Desk, Dest: Room 625
Layer 3 packet: Source: 129.0.3.16, Dest: 129.0.4.20, Payload: Hi Claire!

56 of 132

[Diagram: as slide 55; the packet arrives at Claire's Computer]

Layer 2 header: Source: Cory Front Desk, Dest: Room 625
Layer 3 packet: Source: 129.0.3.16, Dest: 129.0.4.20, Payload: Hi Claire!

57 of 132

[Diagram: as slide 56; Claire's Computer holds the unwrapped Layer 3 packet]

Layer 3 packet: Source: 129.0.3.16, Dest: 129.0.4.20, Payload: Hi Claire!

And finally: Claire can ditch the Layer 2 headers to retrieve the original packet that Nick wanted to send her!

58 of 132

How do computers in Soda & Cory get their

IP Addresses?

(and...how do they know what the Router's IP address is?)

59 of 132

DHCP: Dynamic Host Configuration Protocol

60 of 132

[Diagram: Soda Hall LAN: Nick's Computer (MAC: Room 625, IP: ????????), Raluca's Computer (MAC: Room 729, IP: 129.0.3.18), Dave's Computer (MAC: Room 733, IP: 129.0.3.30); a Router (MAC: Soda Front Desk) connected to a second Router (MAC: Cory Front Desk)]

When Nick first connects to the network, he needs an IP address!

He also doesn't know what the IP address of the router is...

61 of 132

[Diagram: as slide 60]

DHCP Step 1: Client Discover

Nick broadcasts: "Hi everyone! I need a configuration."

62 of 132

[Diagram: as slide 60]

DHCP Step 1: Client Discover

Nick broadcasts: "Hi everyone! I need a configuration."

DHCP Step 2: Server Offer

Any server able to offer IP addresses (e.g. any router in the LAN) responds with a configuration.

63 of 132

[Diagram: as slide 60; Step 1 as on the previous slide]

DHCP Step 2: Server Offer

Any server able to offer IP addresses (e.g. any router in the LAN) responds with a configuration.

Your IP: 129.0.3.16
Subnet Mask: 255.255.255.0
Gateway (Router) IP: 129.0.3.1
DNS Server IP: 129.0.3.2

64 of 132

[Diagram: as slide 60, with Nick's IP now 129.0.3.16; Steps 1-2 as on the previous slides]

DHCP Step 3: Client Request

Nick broadcasts which configuration he's chosen: "Hi everyone! I've chosen XYZ as my configuration."

65 of 132

[Diagram: as slide 64; Steps 1-3 as on the previous slides]

DHCP Step 4: Server Ack

The chosen server acknowledges that the configuration has been chosen, and marks Nick's IP address as a "used" address.

66 of 132

Summary: Dynamic Host Configuration Protocol

  • DHCP is a protocol that is used when a computer first joins a local network.
    • In order to use Layer 3 (IP) to communicate, a computer needs…
      • An IP address
      • The IP address of a DNS server
      • The IP address of a router (a.k.a. gateway)
  • The DHCP handshake follows four steps.
    • Client Discover: the client broadcasts a request for a configuration.
    • Server Offer: any server able to offer IP addresses responds with a configuration.
      • This may be called a DHCP lease (and may come with a lease time).
    • Client Request: the client broadcasts which configuration it has chosen.
    • Server Acknowledge: the chosen server responds with a confirmation.
  • Multiple computers can share a global IP address using NAT (Network Address Translation).
    • The gateway maintains a mapping of internal (source) IP address to remote (destination) IP address.
    • Local IPs may look like 192.168.1.5 or 10.0.0.5.

67 of 132

Security: DHCP

  • Attack: DHCP Spoofing
    • Nick broadcasts a request for a configuration.
    • Mallory* races the actual gateway with a response to trick Nick into thinking that Mallory's computer is the gateway (or, alternatively, the DNS server).
    • Nick sends all of his packets through Mallory (or makes all of his DNS requests through Mallory).
  • Defense: Rely on higher-layer defenses (e.g. TLS for end-to-end encryption).

*Mallory is a local attacker, a.k.a. she's connected to the LAN and can both observe broadcast packets from and send packets to anyone on the LAN.
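The four DHCP steps from the summary and the spoofing attack above, as one added example that is not part of the slides: a toy handshake in which two servers answer the client's Discover, the client takes the first Offer it hears, only the chosen server marks the address as used, and an `OfferMonitor` flags any Offer whose server identifier is not on an operator-maintained allow-list (the check a DHCP snooping feature on a managed switch performs; the slides do not cover that defense). Messages are simplified dicts rather than the real DHCP wire format; the server IDs, the address pool, the client MAC and the second server at 129.0.3.250 are constructed.

```python
# Added example (not from the slides): DISCOVER -> OFFER -> REQUEST -> ACK with
# two servers on the LAN, plus an allow-list check on OFFERs.


class DhcpServer:
    def __init__(self, server_id, pool, gateway, dns, mask="255.255.255.0"):
        self.server_id = server_id          # the server's own IP, carried in every message
        self.free = list(pool)              # addresses still available to offer
        self.used = {}                      # ip -> client MAC, filled at step 4
        self.gateway, self.dns, self.mask = gateway, dns, mask

    def on_discover(self, client_mac):
        """Step 2: offer the first free address (not yet reserved)."""
        if not self.free:
            return None
        return {"type": "OFFER", "server_id": self.server_id, "client_mac": client_mac,
                "your_ip": self.free[0], "mask": self.mask,
                "gateway": self.gateway, "dns": self.dns}

    def on_request(self, request):
        """Step 4: only the server the client chose answers, and it marks the IP used."""
        if request["server_id"] != self.server_id:
            return None                     # the client picked someone else
        ip = request["your_ip"]
        if ip not in self.free:
            return {"type": "NAK", "server_id": self.server_id}
        self.free.remove(ip)
        self.used[ip] = request["client_mac"]
        return {"type": "ACK", "server_id": self.server_id,
                **{k: request[k] for k in ("your_ip", "mask", "gateway", "dns")}}


class OfferMonitor:
    """Drops OFFERs from any server identifier the operator has not allow-listed."""
    def __init__(self, trusted_servers):
        self.trusted = set(trusted_servers)
        self.alerts = []

    def check(self, offer):
        if offer["server_id"] in self.trusted:
            return True
        self.alerts.append(offer)
        return False


def dhcp_handshake(client_mac, servers, monitor=None):
    """Run the four steps for one client; return the ACKed configuration or None."""
    offers = []                                                     # steps 1 + 2
    for s in servers:
        offer = s.on_discover(client_mac)
        if offer is not None and (monitor is None or monitor.check(offer)):
            offers.append(offer)
    if not offers:
        return None
    request = {**offers[0], "type": "REQUEST"}                      # step 3: first offer heard
    for s in servers:                                               # step 4
        ack = s.on_request(request)
        if ack is not None:
            return ack if ack["type"] == "ACK" else None
    return None


def demo(with_monitor):
    """Constructed LAN: the real gateway plus a second, untrusted DHCP server that answers first."""
    real = DhcpServer("129.0.3.1", ["129.0.3.16", "129.0.3.17"], gateway="129.0.3.1", dns="129.0.3.2")
    other = DhcpServer("129.0.3.250", ["129.0.3.200"], gateway="129.0.3.250", dns="129.0.3.250")
    monitor = OfferMonitor({"129.0.3.1"}) if with_monitor else None
    cfg = dhcp_handshake("00:00:00:00:06:25", [other, real], monitor)
    return cfg, real, other, monitor


if __name__ == "__main__":
    print("no check:  ", demo(False)[0])
    print("with check:", demo(True)[0])
```

Without the check the client ends up routing through 129.0.3.250 because that Offer arrived first, which is the race the slide describes; with it, the Offer is discarded and logged, and only the real server's lease table changes.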

68 of 132

How do we build apps on top of IP?

If we send packets over layer three (internetwork), it's all one-time only AND best-effort only!

We want some notion of a connection...and we also want reliability!

69 of 132

Activity Monitor (on Mac) shows you all of the active connections that your computer has at any given moment!

70 of 132

My laptop has a globally unique IP number.

Each of these applications has a port number that's unique to my computer (managed by the OS).

71 of 132

[Diagram: Nick's Computer (MAC: Room 625, IP: 129.0.3.6) and the Slack Server (MAC: Room 625, IP: 129.0.4.20)]

Nick's Slack application:

"I want to open up a connection to the Slack server. The service is hosted at IP 129.0.4.20 and Port 80."

72 of 132

[Diagram: as slide 71]

Nick's OS:

"Ok, let's initiate a TCP connection! I'll give you (the Slack app) a port number of 1234, since nobody's using that right now."

73 of 132

[Diagram: as slide 71, with Port: 1234 at Nick's Computer and Port: 80 at the Slack Server]

Nick's OS: Let's open up a connection by sending this packet over TCP:

Source Port: 1234
Dest Port: 80
Seq #: Rand()
Flags: SYN

74 of 132

[Diagram: as slide 73]

But wait! We need to wrap this packet in a Layer 3 packet in order to actually send it using the IP abstraction!

Layer 3 header: Source IP: 129.0.3.6, Dest IP: 129.0.4.20
Layer 4 packet: Source Port: 1234, Dest Port: 80, Seq #: Rand(), Flags: SYN

75 of 132

[Diagram: as slide 73]

Layer 3 (Internetwork) header: Source IP: 129.0.3.6, Dest IP: 129.0.4.20
Layer 4 (Transport) packet: Source Port: 1234, Dest Port: 80, Seq #: Rand(), Flags: SYN

76 of 132

[Diagram: as slide 75]

Now that we've tied this back to Layer 3, we're going to abstract that away for the rest of this sequence of events.

77 of 132

[Diagram: as slide 73]

How do we establish a TCP connection between these two computers?

78 of 132

[Diagram: as slide 73]

Nick -> Slack: Source Port: 1234, Dest Port: 80, Seq #: A, Flags: SYN

Step 1: Nick chooses a random sequence number A and sends an empty packet with Seq # A and the SYN flag set.

79 of 132

[Diagram: as slide 73]

Nick -> Slack: Source Port: 1234, Dest Port: 80, Seq #: A, Flags: SYN
Slack -> Nick: Source Port: 80, Dest Port: 1234, Seq #: B, Ack #: A + 1, Flags: SYN/ACK

Step 2: Slack sends back a packet with a random sequence number B, an ack number of A + 1, and the SYN/ACK flags set.

80 of 132

[Diagram: as slide 73]

Nick -> Slack: Source Port: 1234, Dest Port: 80, Seq #: A, Flags: SYN
Slack -> Nick: Source Port: 80, Dest Port: 1234, Seq #: B, Ack #: A + 1, Flags: SYN/ACK
Nick -> Slack: Source Port: 1234, Dest Port: 80, Seq #: A + 1, Ack #: B + 1, Flags: ACK

Step 3: Nick sends a packet with the ACK flag set, with the Seq # set to A + 1 and the Ack # set to B + 1.

81 of 132

CORE IDEA: When one side receives a TCP packet, it responds with an ack specifying how much data was received (e.g. by providing the index of the "next" piece of data that it expects).

CORE IDEA: Initial sequence numbers are RANDOM (for security!) and shared through the handshake!

After the handshake occurs, the client and server can communicate by sending packets to each other!

82 of 132

Summary: Transport Layer (TCP, UDP)

  • Layer 4 (TCP/UDP) connects processes on machines to each other.
    • UDP: Doesn't guarantee order or delivery. Useful for low-latency apps (e.g. video).
      Headers: Source Port, Destination Port, Length, Checksum
    • TCP: Packets are guaranteed to be delivered (and in the correct order).
      Headers: Source/Destination Port, Sequence/Acknowledge Number, Flags, Checksum
      • If a packet was dropped in transit, the receiver will never send an ACK, and the sender will resend.
      • Similar logic applies for the case where an ACK is dropped in transit.
      • The TCP handshake is used to exchange random initial sequence numbers.
  • Each process is assigned a unique 16-bit port number by the OS.
    • An IP address + port number uniquely identify one process on one machine.
    • On client machines (e.g. laptops), port numbers are arbitrarily assigned.
    • On server machines (e.g. web servers), port numbers are well-defined and public (e.g. HTTP requests occur over Port 80 & HTTPS over Port 443).

83 of 132

Source MAC: Room 625

Dest MAC: Soda Hall Front Office

Source IP: 129.0.3.6

Dest IP: 129.0.4.20

Source Port: 1234

Dest Port: 80

Seq #: A

Ack #: B

Flags: ACK

Data: Hello World!

This is what a packet originating from Nick's computer might look like!

Layer 4: Transport (e.g. TCP)

Layer 3: Internetwork (e.g. IP)

Layer 2: Link (Ethernet)

84 of 132

Security: Transport Layer (TCP/UDP)

  • Attack: TCP Packet Injection
    • Attacker spoofs a malicious packet, forging the headers to trick the recipient into thinking it came from the other user
    • Hard for an off-path adversary, since they have to know/guess the client/server IPs/ports and the sequence numbers
    • Easy for an on-path adversary (since they can see the headers), but there's a race condition with the legitimate packet
    • Very easy for a MiTM, since they can block the actual packet and send their own forged packet
  • Attack: RST Injection
    • Attacker sends a packet with the RST flag set, causing the connection to terminate.
    • Useful for censorship.
  • Defense: Use TLS!
    • But that doesn't stop RST injection!
  • Defense: Use truly random, unpredictable sequence numbers.
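The handshake from the earlier slides and the "random sequence numbers" defense above, as an added example that is not part of the slides: two toy endpoints run the three-way handshake with random initial sequence numbers, and the receiver then drops any data segment whose Seq # is not the one it expects. The Segment fields mirror the header fields on the slides; the state machine is a simplification (a single expected value rather than a receive window).

```python
import secrets
from dataclasses import dataclass, field

MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int = 0
    flags: frozenset = frozenset()
    data: bytes = b""


@dataclass
class Endpoint:
    port: int
    state: str = "CLOSED"
    snd_nxt: int = 0  # next sequence number we will send
    rcv_nxt: int = 0  # next sequence number we expect from the peer
    received: list = field(default_factory=list)

    def connect(self, peer_port):
        """Step 1: pick a random ISN (the slides' A) and send SYN."""
        self.snd_nxt = secrets.randbelow(MOD)
        self.state = "SYN_SENT"
        return Segment(self.port, peer_port, self.snd_nxt, 0, frozenset({"SYN"}))

    def on_segment(self, seg):
        """Process one incoming segment; return the reply, or None if dropped."""
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Step 2: remember A, pick our own random ISN (B), answer SYN/ACK with Ack # = A + 1
            self.rcv_nxt = (seg.seq + 1) % MOD
            self.snd_nxt = secrets.randbelow(MOD)
            self.state = "SYN_RCVD"
            return Segment(self.port, seg.src_port, self.snd_nxt, self.rcv_nxt, frozenset({"SYN", "ACK"}))
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            # Step 3: only a reply acknowledging exactly A + 1 belongs to our SYN
            if seg.ack != (self.snd_nxt + 1) % MOD:
                return None
            self.snd_nxt, self.rcv_nxt = seg.ack, (seg.seq + 1) % MOD
            self.state = "ESTABLISHED"
            return Segment(self.port, seg.src_port, self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))
        if self.state == "SYN_RCVD" and "ACK" in seg.flags:
            if seg.ack != (self.snd_nxt + 1) % MOD:
                return None
            self.snd_nxt, self.state = seg.ack, "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED" and seg.data:
            # CORE IDEA: accept only the bytes we expect next and ack past them.
            # A segment with any other Seq # (e.g. an off-path guess) is dropped.
            if seg.seq != self.rcv_nxt:
                return None
            self.received.append(seg.data)
            self.rcv_nxt = (self.rcv_nxt + len(seg.data)) % MOD
            return Segment(self.port, seg.src_port, self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))
        return None


def handshake():
    """Three-way handshake between Nick's client (port 1234) and a server on port 80."""
    client, server = Endpoint(1234), Endpoint(80, state="LISTEN")
    syn = client.connect(80)           # Seq # A, SYN
    syn_ack = server.on_segment(syn)   # Seq # B, Ack # A + 1, SYN/ACK
    ack = client.on_segment(syn_ack)   # Seq # A + 1, Ack # B + 1, ACK
    server.on_segment(ack)
    return client, server
```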

85 of 132

How do we make TCP secure?

We want end-to-end encryption -- in other words, we want to create a secure channel of communication between a client and a server. Sound familiar? Asymmetric encryption?!

86 of 132

TLS: Transport Layer Security

87 of 132

Preface

  • TLS provides an end-to-end encrypted channel of communication.
  • It's built on top of TCP.
  • HTTPS, SMTP, and VPN connections use TLS.
  • Messages have both integrity and confidentiality.
  • Since we're using asymmetric cryptography, we need a way to track public keys - so we rely on certificate authorities to do this for us.

88 of 132

Diagram: Browser (MAC: Room 625, IP: 129.0.3.6, Port: 1234) ⇔ Server (MAC: Room 625, IP: 129.0.4.20, Port: 80)

Browser → Server: Syn

Server → Browser: Syn-Ack

Browser → Server: Ack

First, we begin with a standard TCP handshake. The browser initiates a connection through a SYN. The server responds with SYN-ACK, and browser sends ACK.

89 of 132

Diagram (after the TCP handshake above):

Browser → Server: Hi. My random number is Rb. I support (TLS/RSA/...) or (SSL/RSA/...)

The browser first sends a ClientHello, which presents a random number Rb, and a list of encryption protocols it supports.

90 of 132

Diagram (continuing):

Server → Browser: Hello. My random number is Rs. Let's use (TLS/RSA...). Here's my certificate.

The server responds with a ServerHello, which contains a random number, a selected encryption protocol, and the server's certificate, which contains a copy of the server's public key signed by a certificate authority.

91 of 132

Diagram (continuing):

Browser: Verify certificate.

If the client trusts the certificate authority that signed the certificate, then the client uses the CA's public key to verify that the server's certificate is correct.

92 of 132

Diagram (continuing; the exchange so far is unchanged).

The next step is to generate a random premaster secret (PS) known only to the client and the server. We have two options for doing this: either through RSA, or through Diffie-Hellman Key Exchange.

93 of 132

Approach #1: Generate a premaster secret on the client, and send it to the server through RSA (public-key encryption).

Diagram (continuing):

Browser: Generate premaster secret.

Browser → Server: {PS}Server's Public Key

Server: Receive premaster secret.

94 of 132

Approach #2: Perform Diffie-Hellman Key Exchange.

Diagram (continuing):

Message: {g, p, g^a mod p}Server's Public Key

Message: g^b mod p

Both sides: Premaster secret is g^ab mod p.

95 of 132

Let's abstract away the premaster secret generation for a minute.

Diagram (ClientHello with Rb, ServerHello with Rs and the certificate, then):

Both sides: Derive Premaster Secret through RSA or DH.

Both sides: Derive Cb, Ib, Cs, Is (encryption/integrity keys for client/server)

96 of 132

Before we send any messages, we first perform a verification over all of the communication we've done in the handshake and TLS setup process.

Diagram (continuing):

Browser → Server: MAC(dialog, Ib)

Server → Browser: MAC(dialog, Is)

97 of 132

And finally, we can send messages using symmetric MAC-then-Encrypt!*

Diagram (continuing):

Browser → Server: {Enc{Cb,M1}, MAC(Enc{Cb,M1}, Ib)}

98 of 132

Summary: TLS

  • At the end of TLS, we have these guarantees:
    • The client is talking to the legitimate server.
    • Nobody has tampered with the handshake.
    • The client and server share a set of secret symmetric keys, unique to this connection.
  • Note: Using DHE provides forward secrecy, whereas RSA does not!
    • With RSA key exchange, if an attacker discovers the server's secret key at some point in the future, they can decrypt all past recorded connections!
    • If we use DH, the values used to generate the secret key (a and b) are never sent as part of the communication, and a and b are never retained after the connection is done.
  • TLS protects against replay attacks as well!
    • Because we use unique nonces at the beginning of the connection!
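The abstracted handshake from the slides (random numbers Rb and Rs, a DH premaster secret, the four keys Cb/Ib/Cs/Is, and the MAC over the whole dialog), as an added example with the standard library only; it is not the slides' code and not real TLS. The DH group, the KDF construction and the message formats are toy choices made here; the point it shows is that the dialog MACs fail when an on-path party rewrites a handshake message, and that the exponents a and b never leave the local side.

```python
import hashlib
import hmac
import secrets

# Toy DH group constructed for the example (a Mersenne prime); not a TLS group.
P = 2 ** 127 - 1
G = 5


def kdf(premaster, rb, rs, label):
    """Derive one 32-byte key bound to this connection's nonces (HKDF-style, toy labels)."""
    prk = hmac.new(rb + rs, premaster.to_bytes(16, "big"), hashlib.sha256).digest()
    return hmac.new(prk, label, hashlib.sha256).digest()


def derive_keys(premaster, rb, rs):
    """The slides' Cb, Ib (client encryption/integrity) and Cs, Is (server)."""
    return {name: kdf(premaster, rb, rs, name) for name in (b"Cb", b"Ib", b"Cs", b"Is")}


def dialog_mac(dialog, key):
    """MAC over the transcript of every handshake message exchanged so far."""
    return hmac.new(key, b"\x00".join(dialog), hashlib.sha256).digest()


def handshake(tamper=None):
    """Run ClientHello / ServerHello / DH / Finished. `tamper(dialog)` optionally edits the
    messages as the server sees them (an on-path modification). Returns (client_ok, server_ok):
    whether each side's check of the other's dialog MAC passes."""
    rb, rs = secrets.token_bytes(32), secrets.token_bytes(32)
    client_hello = b"ClientHello|" + rb + b"|TLS/RSA,TLS/DHE"
    server_hello = b"ServerHello|" + rs + b"|TLS/DHE|cert"
    # Private exponents a (browser) and b (server) stay local and are discarded afterwards,
    # which is what gives forward secrecy: only g^a and g^b cross the wire.
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    ga, gb = pow(G, a, P), pow(G, b, P)
    client_view = [client_hello, server_hello, str(ga).encode(), str(gb).encode()]
    server_view = list(client_view) if tamper is None else tamper(list(client_view))
    ps_client, ps_server = pow(gb, a, P), pow(ga, b, P)   # both equal g^ab mod p
    ck, sk = derive_keys(ps_client, rb, rs), derive_keys(ps_server, rb, rs)
    # Finished messages: browser sends MAC(dialog, Ib), server sends MAC(dialog, Is)
    client_finished = dialog_mac(client_view, ck[b"Ib"])
    server_finished = dialog_mac(server_view, sk[b"Is"])
    server_ok = hmac.compare_digest(client_finished, dialog_mac(server_view, sk[b"Ib"]))
    client_ok = hmac.compare_digest(server_finished, dialog_mac(client_view, ck[b"Is"]))
    return client_ok, server_ok


def downgrade(dialog):
    """Constructed tampering: rewrite the protocol list in ClientHello on the wire."""
    dialog[0] = dialog[0].replace(b"TLS/RSA,TLS/DHE", b"SSL/RSA")
    return dialog
```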

99 of 132

How does WiFi work?

We've talked about Ethernet so far...but what about WiFi?

100 of 132

WPA-PSK

101 of 132

WiFi

  • A wireless implementation of the Link Layer (as opposed to Ethernet)
  • Behaves similarly to Ethernet (e.g. uses the same packet format + ARP for translation)
  • Access points (AP's) broadcast "I am here" with the network name (SSID).
  • Devices broadcast request to join a particular network.
  • WPA2-PSK is a protocol for secure communication.
    • Sanity Check: why don't we have an equivalent for communication over Ethernet? Think about the threat model!

102 of 132

Diagram: Nick's Computer ⇔ WiFi Access Point

Configuration: the owner of this AP chooses an SSID and password.

103 of 132

Diagram: WiFi Access Point: SSID: "nickoffice" + Password: "GoBears" → PBKDF → PSK [Pre-Shared Key]

Using the SSID and password, the AP derives a PSK (pre-shared key).

104 of 132

Diagram: WiFi Access Point (holding the PSK) → everyone nearby: Hello! I am "nickoffice" and available for connection.

The AP also broadcasts the SSID to everyone nearby.

105 of 132

Diagram: Nick's Computer → WiFi Access Point: authentication request (MAC Addresses exchanged)

Nick's computer makes an authentication request.

106 of 132

Diagram: Nick's Computer and WiFi Access Point each hold SSID: "nickoffice" + Password: "GoBears" → PBKDF → PSK; MAC Addresses exchanged.

Both sides derive the pre-shared key (PSK) using PBKDF.

107 of 132

Diagram (continuing):

WiFi Access Point → Nick's Computer: ANonce

Nick's Computer → WiFi Access Point: SNonce

The AP sends Nick an ANonce.

Nick sends the AP an SNonce.

108 of 132

Diagram (continuing): both sides now hold the PSK, ANonce, SNonce and both MAC Addresses.

Both sides derive a PTK (Pairwise Transient Key).

109 of 132

Diagram (continuing):

Nick's Computer ⇔ WiFi Access Point: MIC

Both sides exchange MICs over the exchange so far (MACs from the crypto unit).

110 of 132

Diagram (continuing): (Client MAC, Server MAC), ANonce, SNonce and PTK on both sides.

WiFi Access Point → Nick's Computer: GTK (encrypted under the PTK)

Nick's Computer → WiFi Access Point: ACK

The access point encrypts the GTK (Group Temporal Key) using the PTK as an encryption key and sends it to Nick.

GTK used for broadcast. PTK used for client ⇔ router.

111 of 132

Security: WPA2-PSK

  • Attack: Rogue Access Point
    • Pretend to be an AP and offer the client an ANonce. Only works if the attacker knows the PSK.
  • Attack: Offline Brute Force
    • Try to guess the WiFi password.
    • Works because the nonces are unencrypted and MAC addresses are public.
  • Attack: No Forward Secrecy
    • If an attacker learns the ANonce and SNonce and later discovers the WiFi password, they can derive the PTK.
  • Defense: WPA-Enterprise
    • Instead of using a PSK, use a one-time key randomly generated by an authentication server.
    • Requires you to enter a username and password to the server (i.e. AirBears).
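The derivations from the WPA2-PSK slides above (PSK from password and SSID via PBKDF, PTK from PSK plus both nonces and both MAC addresses, MIC over the handshake message), as an added example with the standard library only; it is not the slides' code. The constants are the ones IEEE 802.11i specifies for WPA2 (PBKDF2-HMAC-SHA1 with 4096 rounds, the "Pairwise key expansion" PRF label, HMAC-SHA1-128 MIC for CCMP); the SSID and password are the slides' values, and the MAC addresses, nonces and frame body are constructed sample values. It shows both sides arriving at the same PTK, and the MIC failing when the client's password differs, which is why nothing but the password's strength protects this exchange.

```python
import hashlib
import hmac


def derive_psk(password, ssid):
    """PSK (= PMK) = PBKDF2-HMAC-SHA1(password, salt = SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(psk, ap_mac, client_mac, anonce, snonce):
    """PTK = PRF-384(PSK, "Pairwise key expansion", min/max of the MACs, min/max of the nonces).
    Ordering by min/max lets both sides compute the same value whichever role they play.
    Everything mixed in here except the PSK travels unencrypted over the air."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(psk, b"Pairwise key expansion", data, 48)  # KCK | KEK | TK, 16 bytes each


def mic(ptk, frame_body):
    """EAPOL-Key MIC for WPA2/CCMP: HMAC-SHA1 keyed with the KCK (PTK[0:16]), truncated to
    16 bytes, over the handshake message with its MIC field zeroed."""
    return hmac.new(ptk[:16], frame_body, hashlib.sha1).digest()[:16]


# Constructed sample values for the example (not from any real network)
SSID, PASSWORD = "nickoffice", "GoBears"
AP_MAC = bytes.fromhex("02aabbccdd01")
CLIENT_MAC = bytes.fromhex("02aabbccdd02")
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()
MSG2 = b"EAPOL-Key message 2 body (constructed), MIC field zeroed"


def four_way_check(client_password):
    """The AP derives its PTK from the configured password; Nick's computer derives its
    PTK from `client_password`. Returns True if the MIC on message 2 verifies at the AP,
    i.e. if both sides hold the same PTK."""
    ap_ptk = derive_ptk(derive_psk(PASSWORD, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    client_ptk = derive_ptk(derive_psk(client_password, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(mic(ap_ptk, MSG2), mic(client_ptk, MSG2))
```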

112 of 132

Coming Soon...

113 of 132

How do we get from https://apple.com/ to the actual Apple servers?

We want a way to transform https://apple.com/ to 195.13.42.13 (an IP address).

114 of 132

How do we get from Soda Hall to

Google's Server Farm in Indiana?

How do our packets actually get forwarded across the internet?

115 of 132

LAN/WAN

Local area (e.g. apartment) + wide-area (e.g. internet) networks. A router connects multiple LAN's.

Layer 2 (e.g. Ethernet)

Layer 2 (link layer) connects local machines in a LAN. MAC Addresses uniquely identify machines in a LAN.

Layer 3 (e.g. IP)

Layer 3 (internetwork layer) connects many LAN's. IP addresses uniquely identify machines globally.

Layer 4 (e.g. TCP/UDP)

Layer 4 (transport layer) provides the notion of a connection between individual processes on machines. UDP is a best-effort transport layer protocol (no guarantees on order, but less overhead). TCP is a reliable, in-order, connection-based protocol.

Layer 6.5 (e.g. TLS)

TLS provides a secure connection (e.g. secure channel of communication) between processes on machines.

Layer 7 (e.g. HTTP)

HTTP provides a framework to build applications on top of lower-level layers (e.g. HTTP GET/POST/…)

ARP (Address Resolution)

A protocol based on Layer 2 (e.g. Ethernet) to translate IP addresses into MAC addresses.

WPA (Wi-Fi Protected Access)

A protocol that enables secure wireless communication in a LAN. With WPA2-PSK, multiple devices within a LAN (e.g. multiple computers, or a computer and a router) can communicate securely.

DHCP (Dynamic Host Configuration Protocol)

A protocol based on Layer 2/3 (e.g. Ethernet and IP) that enables communication over a LAN and the internet. It allows clients to acquire an IP address, the IP address of the DNS server, and the IP address of the router.

BGP (Border Gateway)

A protocol based on Layer 3 (e.g. IP addresses) that connects lots of local networks (border gateway protocol).

DNS (Domain Name System) & DNSSec

A protocol based on Layer 4 (e.g. TCP) that allows computers to resolve https://google.com/ into 127.217.4.174 (IP addresses). It uses a hierarchical system of name servers that exist across the internet. DNS queries are made over UDP.

116 of 132

EXTENDED: How does Tor work?

117 of 132

Anonymity

  • Review: confidentiality, integrity, and authenticity
    • Confidentiality: Alice & Bob don't want anyone to learn anything about the contents of their communication (excluding length).
    • Integrity: If someone tampers with the message, it should be detected.
    • Authenticity: Bob should be able to verify that the message came from Alice.

  • In certain situations, we want anonymity as well!
    • Nobody should be able to tell who took an action (e.g. sent a message, made a query, etc.)
    • Aside: anonymity comes with its own challenges (think malicious activity)

118 of 132

Anonymity...on the internet

What if we want to Google something without revealing our identity to Google?

Diagram: Our Computer (MAC: Room 625, IP: 129.0.3.6) → Google Server (MAC: Room 625, IP: 129.0.4.20). The packet:

Source MAC: Room 625

Dest MAC: Soda Hall Front Office

Source IP: 129.0.3.6

Dest IP: 129.0.4.20

Source Port: 1234

Dest Port: 80

Seq #: A

Ack #: B

Flags: ACK

Data: Flights to New York

We inherently will reveal our source IP address to Google! This is necessary in order to make the foundational layers of the internet (e.g. IP layer) work as they've been designed...

Layer 4: Transport (e.g. TCP)

Layer 3: Internetwork (e.g. IP)

Layer 2: Link (Ethernet)

119 of 132

What if we used a proxy?

Diagram: Our Computer (MAC: Room 625, IP: 129.0.3.6) → Trusted Proxy (MAC: Room 123, IP: 123.4.6.1) → Google Server (MAC: Room 444, IP: 129.0.4.20)

We can introduce a proxy that receives our requests and forwards them onto Google after stripping away our identifying information!

Source MAC: Room 625

Dest MAC: Soda Hall Front Office

Source IP: 129.0.3.6

Dest IP: 129.0.4.20

Source Port: 1234

Dest Port: 80

Seq #: A

Ack #: B

Flags: ACK

Data: Flights to New York

The proxy would strip away everything except the bolded text!

but...we now have to trust the proxy!

120 of 132

Onion Routing

Diagram: Alice (MAC: Room 625, IP: 129.0.3.6) → Frank → Dan → Charlie → Bob (MAC: Room 444, IP: 129.0.4.20)

Core Design: let's add a bunch of servers in between our computer (Alice) and Google (Bob), hoping that at least one of them can be trusted.

121 of 132

Onion Routing

Diagram (same chain: Alice → Frank → Dan → Charlie → Bob).

Charlie is the last link in this chain, so he needs to know the final destination and the final message.

122 of 132

Onion Routing

Alice

MAC: Room 625

IP: 129.0.3.6

Bob

MAC: Room 444

IP: 129.0.4.20

Frank

Dan

Charlie

Receive: (M, Bob)Charlie PK

Receive: (M)

Send: (M)

123 of 132

Onion Routing

Alice

MAC: Room 625

IP: 129.0.3.6

Bob

MAC: Room 444

IP: 129.0.4.20

Frank

Charlie is the last link in this chain, so he needs to know the final destination and the final message.

Dan

Charlie

So she receives (M, Bob)Charlie PK

124 of 132

Onion Routing

Alice

MAC: Room 625

IP: 129.0.3.6

Bob

MAC: Room 444

IP: 129.0.4.20

Frank

Dan

Charlie

Receive: (M, Bob)Charlie PK

Send: (M)

Receive: ((M, Bob)Charlie PK, Charlie)Dan PK

Dan receives this message, decrypts it, and passes along the result to Charlie!

Receive: (M)

125 of 132

Onion Routing

Alice

MAC: Room 625

IP: 129.0.3.6

Bob

MAC: Room 444

IP: 129.0.4.20

Frank

Dan

Charlie

Receive: (M, Bob)Charlie PK

Send: (M)

Receive: ((M, Bob)Charlie PK, Charlie)Dan PK

Receive: (M)

Receive: (((M, Bob)Charlie PK, Charlie)Dan PK, Dan)Frank PK

We add one more node - Frank...and so this message is what Alice originally sends!

126 of 132

Onion Routing

Alice

MAC: Room 625

IP: 129.0.3.6

Bob

MAC: Room 444

IP: 129.0.4.20

Frank

Dan

Charlie

Receive: (M, Bob)Charlie PK

Send: (M)

Receive: ((M, Bob)Charlie PK, Charlie)Dan PK

Receive: (M)

Receive: (((M, Bob)Charlie PK, Charlie)Dan PK, Dan)Frank PK

(((M, Bob)Charlie PK, Charlie)Dan PK, Dan)Frank PK

Alice sends this message!

127 of 132

Onion Routing

Alice

MAC: Room 625

IP: 129.0.3.6

Bob

MAC: Room 444

IP: 129.0.4.20

Frank

Dan

Charlie

Receive: (M, Bob)Charlie PK

Send: (M)

Receive: ((M, Bob)Charlie PK, Charlie)Dan PK

Receive: (M)

Receive: (((M, Bob)Charlie PK, Charlie)Dan PK, Dan)Frank PK

(((M, Bob)Charlie PK, Charlie)Dan PK, Dan)Frank PK

Security guarantees: even if N - 1 nodes are compromised, anonymity is still protected!

128 of 132

Onion Routing

Alice

MAC: Room 625

IP: 129.0.3.6

Bob

MAC: Room 444

IP: 129.0.4.20

Frank

Dan

Charlie

Receive: (M, Bob)Charlie PK

Send: (M)

Receive: ((M, Bob)Charlie PK, Charlie)Dan PK

Receive: (M)

Receive: (((M, Bob)Charlie PK, Charlie)Dan PK, Dan)Frank PK

(((M, Bob)Charlie PK, Charlie)Dan PK, Dan)Frank PK

Security guarantees: even if N - 1 nodes are compromised, anonymity is still protected!

NOTE: Tor still uses the foundation of the internet (e.g. everything up to TLS) for actual device-to-device communication!

129 of 132

Tor

Tor network: a network of many Tor relays (proxies) for forwarding packets.

  • Directory server: lists all Tor servers and their public keys
  • Tor Browser: A web browser configured to connect to the Tor network
  • Tor Onion Services: Servers that can only be reached through the Tor network (e.g. the dark web!)
  • Tor Bridges: Tor relays that try to hide the fact that a user is connecting to Tor.

Threat Model: client anonymity and censorship resistance; anonymity against local adversaries (e.g. on-path attacker sees Alice send message to Tor, but doesn't identify the final destination of the message. The server doesn't know the identity of the client.)

130 of 132

Diagram: Alice → Relay (entry node) → Relay (second node) → Relay (exit node) → Bob, among many other relays in the Tor network.

Alice forms a Tor connection with the entry node.

Then she forms a Tor connection with the second node, through the first node.

Notice: Relay 1 is only relaying Tor cells. It doesn't know the contents of the cells!

Then she forms a Tor connection with the exit node, through the second node.

Finally, she connects to Bob (optionally forming a TLS connection with Bob).

131 of 132

Diagram: Alice → Relay 1 → Relay 2 → Relay 3 → Bob

Relay 1 knows that Alice is using Tor, but not who Alice is talking to.

Relay 2 knows nothing (other than someone is using Tor).

Relay 3 knows that someone is talking to Bob, but not who.

132 of 132

Diagram: Alice → Relay 1 → Relay 2 → Relay 3 (exit node) → Bob

Relay 3 knows that someone is talking to Bob, but not who.

The exit node can see the message and the recipient. They're essentially a MiTM attacker! If the user isn't using TLS...the exit node can see/modify traffic...